2016-07-28 - PSEUDO-DARKLEECH NEUTRINO EK SENDS CRYPMIC RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2016-07-28-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-ransomware-3-pcaps.zip 582.2 kB (582,199 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-ransomware-first-run.pcap (424,381 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-ransomware-second-run.pcap (445,305 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-sends-CrypMIC-ransomware-third-run.pcap (426,931 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-and-CrypMIC-ransomware-files.zip 390.3 kB (390,348 bytes)
- 2016-07-28-CrypMIC-ransomware-decrypt-instructions.BMP (3,276,854 bytes)
- 2016-07-28-CrypMIC-ransomware-decrypt-instructions.HTML (238,187 bytes)
- 2016-07-28-CrypMIC-ransomware-decrypt-instructions.TXT (1,659 bytes)
- 2016-07-28-page-from-orthopet_net-with-injected-script-first-run.txt (20,845 bytes)
- 2016-07-28-page-from-orthopet_net-with-injected-script-second-run.txt (20,901 bytes)
- 2016-07-28-page-from-orthopet_net-with-injected-script-third-run.txt (20,856 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-flash-exploit-second-run.swf (77,984 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-flash-exploit-third-run.swf (77,357 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-landing-page-first-run.txt (2,446 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-landing-page-second-run.txt (2,380 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-landing-page-third-run.txt (2,352 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-ransomware-first-run.dll (73,728 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-ransomware-second-run.dll (73,728 bytes)
- 2016-07-28-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-ransomware-third-run.dll (73,728 bytes)
BACKGROUND ON THE PSEUDO-DARKLEECH CAMPAIGN:
- Something I wrote on exploit kit (EK) fundamentals: link
- 2016-03-22 - PaloAlto Networks Unit 42 blog: Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond
- 2016-07-02 - SANS ISC diary: Change in patterns for the pseudoDarkleech campaign
BACKGROUND ON CRYPMIC RANSOMWARE:
- 2016-07-06 - SANS ISC diary: CryptXXX ransomware updated [The date I first noticed this new branch of ransomware.]
- 2016-07-14 - From the Proofpoint blog [link]: "We believe that CryptXXX is in active development and possibly split off into two branches. The original branch is now up to version 5.001 (we wrote about the upgrade to version 3.100 near the end of May), while the new branch uses a different format for versioning and will require further analysis."
- 2016-07-20 - TrendLabs Security Intelligence Blog - CrypMIC Ransomware Wants to Follow CryptXXX's Footsteps [TrendLabs analyzes the new branch and names it.]
Shown above: One of my recent tweets.
Shown above: Flowchart for this infection traffic.
TRAFFIC
Shown above: Traffic from the first pcap filtered in Wireshark. Wireshark filter: http.request or (!(tcp.port eq 80) and tcp.flags eq 0x0002)
Shown above: Traffic from the second pcap filtered in Wireshark.
Shown above: Traffic from the third pcap filtered in Wireshark.
ASSOCIATED DOMAINS:
- orthopet[.]net - Compromised site
- 207.244.95[.]137 port 80 - waterwijdinghexadentate.cladyoudid[.]co[.]uk - Neutrino EK, first run
- 69.64.80[.]148 port 80 - breighnertransvolga.procladpanels[.]co[.]uk - Neutrino EK, second run
- 178.33.6[.]108 port 80 - xtresourcelist-hdts.magnagen[.]co[.]uk - Neutrino EK, third run
- 193.111.140[.]100 port 443 - CrypMIC ransomware post-infection traffic (custom encoded and clear text, not SSL/HTTPS)
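The last entry is the detection point worth checking for: post-infection traffic to TCP port 443 that is not TLS at all. The following is an added example (not code from the original post, and not run against the pcaps above) that flags tcp/443 flows whose first client bytes do not look like a TLS ClientHello; the flow records are constructed, the 198.51.100.10 address is a placeholder, and the other addresses are the ones listed above.

```python
# Added example, not code from the original post: flag tcp/443 flows whose first
# client payload is not a TLS ClientHello, as with the CrypMIC callback above
# (193.111.140[.]100 port 443, custom encoded / clear text, not SSL/HTTPS).
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Flow:
    dst: str
    dport: int
    first_payload: bytes  # first client-to-server bytes; b"" if none seen

def is_tls_client_hello(payload: bytes) -> bool:
    """True if payload starts like a TLS record carrying a ClientHello."""
    if len(payload) < 6:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    # 0x16 = handshake record; version 0x0300..0x0303 (SSL 3.0 .. TLS 1.2
    # record layer); length within the TLS limit; handshake type 0x01.
    return (payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x03
            and 0 < record_len <= 16384 and payload[5] == 0x01)

def classify_443(flow: Flow) -> Optional[str]:
    """Reason string if a tcp/443 flow is not TLS, else None.
    Flows with no payload yet (e.g. a lone SYN) are not judged."""
    if flow.dport != 443 or not flow.first_payload:
        return None
    if is_tls_client_hello(flow.first_payload):
        return None
    head = flow.first_payload[:8]
    if head.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "clear-text HTTP on tcp/443"
    if all(0x20 <= b < 0x7f for b in head):
        return "printable non-TLS data on tcp/443"
    return "non-TLS binary data on tcp/443"

def find_non_tls_443(flows: List[Flow]) -> List[Tuple[str, str]]:
    """(dst, reason) for every tcp/443 flow that does not look like TLS."""
    return [(f.dst, r) for f in flows if (r := classify_443(f))]

# Constructed sample flows (not extracted from the pcaps on this page).
SAMPLE_FLOWS = [
    Flow("198.51.100.10", 443, bytes.fromhex("160301005f0100005b0303")),  # placeholder host, ClientHello shape
    Flow("193.111.140.100", 443, b"\x7a\x03\x9f\x01\x12\x2c\x8e\x44"),  # custom-encoded blob on 443
    Flow("193.111.140.100", 443, b"GET /ok HTTP/1.1\r\n"),           # clear text on 443
    Flow("207.244.95.137", 443, b""),                                  # SYN only, no payload
    Flow("207.244.95.137", 80, b"GET / HTTP/1.1\r\n"),                 # port 80, not judged
]
```

In a real deployment the Flow records would be filled from a pcap reader or flow exporter; the classification only needs the destination port and the first client-to-server bytes of each flow.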
DOMAINS FROM THE DECRYPT INSTRUCTIONS:
- ccjlwb22w6c22p2k[.]onion[.]to
- ccjlwb22w6c22p2k[.]onion[.]city
NOTE: These are the same domains seen from CrypMIC ransomware samples two days ago on 2016-07-26.
FILE HASHES
FLASH EXPLOITS:
- SHA256 hash: 4d4e1db0f127a72461857fe42a436e0e00b173b697c359e13a12501e2a13f9cb
File name: 2016-07-28-pseudoDarkleech-Neutrino-EK-flash-exploit-second-run.swf
- SHA256 hash: 6c953bae7cc5f34502577c34044eadf2bfa6c05e377e4210b3261469c95bb532
File name: 2016-07-28-pseudoDarkleech-Neutrino-EK-flash-exploit-third-run.swf
PAYLOADS:
- SHA256 hash: f49098abcf55904395e374335ebb749f9e2efed7444471fdcd84fdee6b24d601
File name: 2016-07-28-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-ransomware-first-run.dll
- SHA256 hash: 2f913bd1dad8d4249cf08d4f38d3632d702a35beb76e6f452869ca076644eb57
File name: 2016-07-28-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-ransomware-second-run.dll
- SHA256 hash: 6964a8d4d57be735517facac1e092665ae6c5228e5a5fe14af026f0c30794e57
File name: 2016-07-28-pseudoDarkleech-Neutrino-EK-payload-CrypMIC-ransomware-third-run.dll
IMAGES
Shown above: Injected script in page from the compromised site, first run.
Shown above: Injected script in page from the compromised site, second run.
Shown above: Injected script in page from the compromised site, third run.
Shown above: Desktop of the infected Windows host.
Shown above: Two .KEY files in the user's AppData\Local\Temp directory.
Shown above: Going to the decryption instructions site.